Tuesday, December 1, 2015

Did We See This Coming?

I'm usually not surprised by recommendations made by Congressional Committees since they are usually telegraphed long before they actually come out, but we occasionally get one that isn't.  The U.S.-China Economic and Security Review Commission, in their annual report to Congress, made one that got my attention:  [That] Congress assesses the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks.

For some reason, I never heard this discussed by business interests or government.  Hacking back has always been a troublesome area for industry.  For one thing, it requires a good bit of technical expertise and a long-term investment in maintaining a capability that exceeds most business interests.   Second, in the case of China, it requires hacking back against entities that are part of, or funded by, the central government.  Companies that have business interests in China generally don't want to do that, though they are probably in a better position to do it than companies that don't.  They have networks there already.

It seems to me there is a better way to make sure stolen data isn't used.  Encrypting data is one way.  The OPM database of security clearance data should have been encrypted, as should almost any trade secret data that is needed for a company to maintain a competitive advantage over its competitors.  Most data management systems have some type of encryption available and it is not hard to use.  I have heard IT shops argue that encryption is "too hard," but they haven't tried it.

Cliff Stoll, who years ago wrote The Cuckoo's Egg, suggested the addition of bogus records that, if ever accessed, trigger a security alarm.  We tried that in a couple of places and it turned up a couple of scavengers searching for things that were none of their business.  One of them could prove it wasn't him, so we were sure that one was a hacker using his credentials.  That is a good start.
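An added example (not from the original post) of the bogus-record alarm described above: it scans an audit log for any access to a seeded decoy record and notes source hosts the account never uses for ordinary work, which is what helps when the account owner disputes the access. The log format, record IDs, account names and host names are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed decoy IDs: bogus rows seeded into a real table that no
# legitimate workflow ever has a reason to read.
DECOY_IDS = {"EMP-90417", "EMP-90562"}
FIELDS = ["time", "account", "host", "action", "record"]

# Constructed audit log: timestamp, account, source host, action, record ID.
SAMPLE_LOG = """\
2015-11-30T09:14:02Z,jsmith,ws-114,SELECT,EMP-10233
2015-11-30T10:02:11Z,mlee,ws-207,SELECT,EMP-10871
2015-11-30T22:41:17Z,mlee,ws-207,SELECT,EMP-90417
2015-11-30T23:02:55Z,jsmith,vpn-36,SELECT,EMP-90562
2015-11-30T23:03:10Z,jsmith,vpn-36,SELECT,EMP-90417
2015-12-01T08:00:31Z,akhan,ws-090,UPDATE,EMP-20011
"""

def parse(log_text):
    """Parse the audit log into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS))

def decoy_report(log_text, decoy_ids=DECOY_IDS):
    """Map each account that touched a decoy to the decoys it accessed and
    to any source hosts it never used for ordinary (non-decoy) access."""
    events = parse(log_text)
    usual_hosts = defaultdict(set)
    for e in events:
        if e["record"] not in decoy_ids:
            usual_hosts[e["account"]].add(e["host"])
    report = {}
    for e in events:
        if e["record"] in decoy_ids:          # any access at all is an alarm
            entry = report.setdefault(
                e["account"], {"records": set(), "unusual_hosts": set()})
            entry["records"].add(e["record"])
            if e["host"] not in usual_hosts[e["account"]]:
                entry["unusual_hosts"].add(e["host"])
    return report

if __name__ == "__main__":
    for account, info in sorted(decoy_report(SAMPLE_LOG).items()):
        print(account, sorted(info["records"]), sorted(info["unusual_hosts"]))
```

In the constructed log, `mlee` reads a decoy from a usual workstation, while `jsmith`'s decoy reads come from a host that account never otherwise uses, the pattern to check for borrowed credentials.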

There are other ways to achieve the objective without starting a hacker war with the Chinese, but I'm wondering where this idea came from.
